docs: add v4.3.1 release notes (#93)

Author: neverinfamous

releases/v4.3.1.md

@@ -0,0 +1,68 @@
+# v4.3.1 - OutputSchema Fix & CVE Remediations
+
+Released: February 5, 2026
+
+## Highlights
+
+- **OutputSchema Fix** — Fixed `get_cross_project_insights` validation error on empty results
+- **Security Patches** — Remediated 3 CVEs in Docker image (libexpat CRITICAL, tar HIGH)
+- **Dependency Updates** — MCP SDK 1.26.0 and other updates
+
+---
+
+## Fixed
+
+### `get_cross_project_insights` OutputSchema Validation
+
+When no projects met the minimum entry threshold, the tool returned only `message` and `projects` fields, failing outputSchema validation.
+
+**Now returns all required fields:**
+- `project_count: 0`
+- `total_entries: 0`
+- `inactive_projects: []`
+- `time_distribution: []`
+- `message` (with explanation)
+- `projects: []`
+
+---
+
+## Security
+
+### CVE-2026-24515 (libexpat) — CRITICAL
+
+Null pointer dereference vulnerability. Fixed by explicitly installing libexpat from Alpine edge repositories in Dockerfile.
+
+### CVE-2026-25210 (libexpat) — MEDIUM
+
+Integer overflow leading to information disclosure. Same fix as CVE-2026-24515.
+
+### CVE-2026-24842 (tar) — HIGH
+
+Path traversal vulnerability in npm's bundled tar package. Updated from 7.5.4 → 7.5.7 in Dockerfile.
+
+---
+
+## Changed
+
+### Dependency Updates
+
+| Package | From | To |
+|---------|------|-----|
+| `@modelcontextprotocol/sdk` | 1.25.3 | 1.26.0 |
+| `@types/node` | 25.0.10 | 25.2.0 |
+| `commander` | 14.0.2 | 14.0.3 |
+| `globals` | 17.1.0 | 17.3.0 |
+
+---
+
+## Upgrade
+
+```bash
+# npm
+npm update -g memory-journal-mcp
+
+# Docker
+docker pull writenotenow/memory-journal-mcp:v4.3.1
+```
+
+**Full Changelog**: https://github.com/neverinfamous/memory-journal-mcp/wiki/CHANGELOG